It’s important for anyone who owns a WordPress site that it remains well secured. In the past, WordPress, especially when installed on your own hosting, was often criticized for weak security and for serious vulnerabilities in its default settings, largely because it is so open and flexible.
Official Google data says that as many as 10,000 websites are misused and about 50,000 identity thefts happen every day. Because of all this, it’s important to secure your website well against hackers. Given that hundreds of developers work on the platform daily to uphold its reputation, these problems have been resolved in recent years and WordPress sites can generally be declared safe.
WordPress Is Well-Secured, but…
Although the situation is much better now, it’s certainly not ideal. Precautions should still be taken, and you should approach the matter as if WordPress were far from a completely secure system. In this article, we’ll explain how hackers can attack your WordPress site and how you can defend yourself against most of their techniques.
By this we mean the 90% of hackers who use other people’s techniques, tools, and scripts, because only a handful of plugins will save you from a real hacker attack. At the same time, the chance that you’ll ever be the target of such an attack is very small, which is why lower-ranking hackers, the so-called script kiddies, are the only threat you need to focus on.
However, we must emphasize that sometimes there’s nothing you can do to prevent an attack, and for this reason you must always have a back-up of your website ready. Schedule regular back-ups and find out about all the solutions that exist for this.
A List of the Most Obvious Vulnerabilities of Your WordPress Site
- Your site has an account named Admin/Administrator or something similar
- You log in to your site via the link mysite.com/wp-admin
- Your site uses pirated themes/plugins
- You keep your site with a hosting company that has bad support and no reputation
- Your site has no automated back-up
- Your password contains the name of your pet, child, loved one, best friend, etc. and is no longer than 10 characters
- You don’t use any trusted security plugin
- You don’t know what DDoS, defacement or brute-force attacks are, or who script kiddies are
If you find yourself on this list, then keep reading the article because you definitely have a lot to work on if you care about the security of your website. Of course, there’s no need for premature panic or paranoia, nor should you worry that you won’t understand these things. The concepts described below are quite simple and easy to apply.
An Overview of Basic Hacker Attacks and Methods
1. Defacement
Not every hacker wants to harm you and bring down your website. Many of these avengers and justice fighters call themselves “white-hat” hackers, and their goal is to point out the security issues of other people’s websites.
Their favorite method is a technique known as website defacement, which doesn’t do much damage to your system: the index.php file is removed from your web root and replaced with the hacker’s own index.html.
As a result, whenever someone opens your homepage they see a message such as “This website was hacked by ‘group X’ from ‘country X’, secure your site better”. For them, this is a great opportunity to practice and learn, but also to do a good deed. Of course, many people deface sites for malicious reasons, but this is usually the lowest-priority problem and is very easy to prevent and fix.
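A defacement of the kind described above is trivial to spot if you keep a baseline of what your web root should contain. The following Python script is an added example (my own code, not the article's and not any plugin's): it hashes every file under a directory, then reports what was modified, added or removed; the tiny web root and the "defacement" it simulates are constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not code from the article or any plugin): a minimal
# file-integrity baseline of the kind a security plugin's scanner keeps.
# A defacement swaps index.php for the attacker's index.html, which shows
# up here as one "removed" and one "added" entry.


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: Path) -> dict:
    """Map every regular file under web_root (relative POSIX path) to its hash."""
    return {
        path.relative_to(web_root).as_posix(): hash_file(path)
        for path in sorted(web_root.rglob("*"))
        if path.is_file()
    }


def compare_to_baseline(web_root: Path, baseline: dict) -> dict:
    """Report files modified, added or removed since the baseline was taken."""
    current = build_baseline(web_root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "readme.txt").write_text("unchanged file\n")
        baseline = build_baseline(root)

        # The defacement described above (constructed): index.php is dropped and
        # the attacker's index.html is put in its place.
        (root / "index.php").unlink()
        (root / "index.html").write_text("<h1>This website was hacked by group X</h1>\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice you take the baseline right after a clean install or update, store it somewhere the web server cannot write to, and rerun the comparison from a scheduled job; any unexpected entry is the cue to restore from your back-up.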
2. Brute-Force
The next method often used by script kiddies is brute force: scanning the website for weaknesses and vulnerabilities, then trying every possible combination (passwords, cryptographic keys) until one works. In theory, any system with some sort of vulnerability could be approached this way, but fortunately this is far from everyday practice.
However, such an attack should certainly be taken seriously. If you don’t update WordPress and its plugins regularly, you may be in great danger.
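A brute-force run against the login form leaves an obvious trace in the web server's access log, which is what the "failed login attempts" reporting of a security plugin is built on. The Python script below is an added example of that detection logic (my own code, not a plugin's): it parses combined-format access-log lines, counts failed POSTs to wp-login.php per client inside a sliding time window, and flags clients that exceed a threshold. The sample log lines are constructed, and the threshold of 10 attempts in 5 minutes is an assumption to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (detection logic, not a plugin's own code). It parses
# combined-format access-log lines and flags any client that POSTs to
# wp-login.php more than `threshold` times within `window`. A failed
# WordPress login re-renders the form with HTTP 200, while a successful one
# answers with a 302 redirect, so only 200 responses count as failures.
# Threshold and window are assumptions; tune them to your real login rate.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_login_bursts(lines, threshold=10, window=timedelta(minutes=5)) -> dict:
    """Return {ip: attempts} for clients whose failed wp-login.php POSTs exceed
    `threshold` inside some `window`-long span (sliding window per client)."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        is_login_post = rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/wp-login.php")
        if is_login_post and rec["status"] == "200":
            failures[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample log: one client hammering the login form with a script,
# one real user who logs in successfully.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"'
    for s in range(0, 48, 4)  # 12 attempts in 44 seconds
] + [
    '198.51.100.2 - - [10/Mar/2024:12:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2024:12:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    print(find_login_bursts(SAMPLE_LOG))  # {'203.0.113.7': 12}
```

Feed it your real log (one line per list entry) and the flagged addresses are the ones a login-attempt limiter would have locked out; the same counting is what makes the "limit the number of login attempts" feature of the plugins mentioned later work.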
3. Injecting a Virus
The following method is fairly unique to WordPress: the insertion of viruses and malware through free and pirated themes and plugins. Sometimes honest common sense is enough to avoid such an attack.
Malicious viruses and software will try to pin spam on your website or steal confidential information from your users. If your website is infected, it will very quickly be penalized by browsers and by the antivirus programs your users run.
4. DDoS and DoS Attacks
We’d also highlight DDoS and DoS attacks (distributed denial-of-service and denial-of-service attacks, respectively) because this is a very common type of attack.
In principle, the idea is very simple, and here’s an easy way to imagine it: let’s say you have a small hosting package and you get 100,000 visitors at once instead of the usual 100. What will happen? Due to a lack of server resources, your website will be unavailable indefinitely, but at least you got so many visits, right? This sounds fair, but the problem arises when someone intentionally uses machines to load and crash your website. In most cases, however, only larger websites and services have this problem.
5. Attack on Hosting Server
Sometimes there are attacks aimed directly at the server on which your website is hosted, or at a virtual neighbor with whom you share server resources. In this case, there’s absolutely nothing you can do other than back up your website and contact your provider’s customer support. Long-term users of shared hosting packages probably know what we’re talking about.
Let’s dwell a little more on hosting, since it is one of the most important factors in avoiding hacker attacks. Mostly smaller sites and smaller business sites are on shared hosting. If you’re one of those, inquire carefully about your provider. If you share hosting space, you share server resources with other clients, and as we have already pointed out, this opens the risk that hackers will attack you from a website with which you share space on the server.
MySQL hosting has proved highly effective for WordPress websites. That’s because WordPress depends on MySQL to store its data: every page it produces issues read and write requests to MySQL, each request adds load to the server, and the more load you get, the more powerful the server you need. By leasing one of the plans offered with different bandwidths, MySQL hosting can help your website withstand high traffic. Your server is only as capable as your network provider, so if the latter doesn’t provide the bandwidth you require, you may need to negotiate an increase or find a different one.
Good hosting providers keep your website and information safe:
- They constantly check their servers so that they can resist a sudden attack
- They have a tool to fight severe DDoS attacks
- They update their server software and hardware to prevent hackers from exploiting a known security vulnerability in an older version
- They are ready to implement disaster recovery plans that allow them to protect your data from a major accident
Summary - Steps to Better Security
So, now that you understand these attacks a little better, we can sum up some things that immediately come to mind when speaking of WordPress site security:
- You need a strong and (relatively) long password that doesn’t contain any of your personal information.
- You need to secure the root directory.
- You need to secure sensitive locations such as the Admin Dashboard login screen.
- You need to stop robots from indexing new pages too quickly (i.e., scanning the site), but do so carefully so as not to block Google’s bots or similar crawlers.
- It’s recommended that you find a trusted hosting company with good customer support.
- You need to make sure you have a trusted theme and plugin (premium themes and plugins with good ratings are usually the safest solution).
- You must always have the latest version of your software through regular updates.
- You need to have regular back-ups for “God forbid” situations.
After the theory, here are some practical tips about plugins that can make the “life” of your website easier.
Install one of the security plugins that monitor your website and report any unusual occurrences (website monitoring, failed login attempts, malware scanning…). We suggest the Sucuri Security or Wordfence plugins.
These plugins have a lot of features; essentially, all the features every WordPress security plugin must have:
- WAF (Web Application Firewall) including DNS Level Website Firewall and Application Level Firewall
- SSL/HTTPS transfer protocol
- Change of Admin username
- Disabling PHP files in certain directories
- Limiting the number of login attempts
- Enabling multiple authentication factors
- Disabling indexing and directory browsing
- Automatic logout of inactive users
- Adding a security login question
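Several items from the summary checklist and the feature list above can be audited without a plugin. The Python script below is an added example (my own code, not the article's and not part of Sucuri Security or Wordfence): it reads the text of a wp-config.php for hardening constants, checks the account list for an admin-style username, and applies the summary's password policy (longer than 10 characters, no personal-information tokens). The constants it inspects (DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, WP_AUTO_UPDATE_CORE, WP_DEBUG, WP_DEBUG_DISPLAY and $table_prefix) are real WordPress settings; the sample configuration, the list of risky usernames and the thresholds are constructed assumptions for the example.

```python
import re

# Added example (not Sucuri's or Wordfence's code): a small audit for several
# items on the checklist above. It reads the text of wp-config.php for
# hardening constants that WordPress really honours, checks the account list
# for a guessable admin-style username, and applies the password policy from
# the summary (longer than 10 characters, no personal-information tokens).
# The constants are real WordPress settings; the username list and the
# thresholds are assumptions for the example.

EXPECTED_CONSTANTS = {
    "DISALLOW_FILE_EDIT": {"true"},                          # no theme/plugin editor in the dashboard
    "FORCE_SSL_ADMIN": {"true"},                             # login and dashboard only over HTTPS
    "WP_AUTO_UPDATE_CORE": {"true", "'minor'", '"minor"'},   # automatic core updates stay on
}
RISKY_USERNAMES = {"admin", "administrator", "root", "test", "user"}
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def audit_wp_config(config_text: str) -> list:
    """Return human-readable findings for the body of a wp-config.php file."""
    findings = []
    defined = {name: value.strip().lower() for name, value in DEFINE_RE.findall(config_text)}
    for name, accepted in EXPECTED_CONSTANTS.items():
        if defined.get(name) not in accepted:
            findings.append(f"{name} is missing or not set to a safe value")
    # WP_DEBUG_DISPLAY defaults to true whenever WP_DEBUG is on, so debug
    # output (paths, queries) reaches visitors unless it is explicitly false.
    if defined.get("WP_DEBUG") == "true" and defined.get("WP_DEBUG_DISPLAY", "true") != "false":
        findings.append("PHP errors are displayed to visitors (WP_DEBUG without WP_DEBUG_DISPLAY=false)")
    m = PREFIX_RE.search(config_text)
    if m and m.group(1) == "wp_":
        findings.append("database table prefix is the default wp_")
    return findings


def audit_usernames(usernames) -> list:
    """Flag the 'Admin/Administrator or similar' accounts from the vulnerability list."""
    return [f"account '{u}' uses a guessable username" for u in usernames if u.lower() in RISKY_USERNAMES]


def password_is_strong(password: str, personal_tokens) -> bool:
    """Policy from the summary: longer than 10 characters and free of personal
    tokens (pet, child, partner names...) in any letter case."""
    if len(password) <= 10:
        return False
    lowered = password.lower()
    return not any(tok.lower() in lowered for tok in personal_tokens if len(tok) >= 3)


# Constructed sample wp-config.php: HTTPS is forced, but debugging is on,
# the file editor is still enabled and the table prefix is the default.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_DEBUG', true );
define( 'FORCE_SSL_ADMIN', true );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG) + audit_usernames(["admin", "jane"]):
        print("-", finding)
    print(password_is_strong("Rex2019!", ["Rex"]))                     # False: short and contains the pet's name
    print(password_is_strong("correct-horse-battery-staple", ["Rex"]))  # True
```

Run it against the real wp-config.php and the output of your user list; each finding maps to one line of the checklist (file editing, HTTPS for the admin area, automatic updates, the admin username, password strength), so it doubles as a progress report while you work through the list.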
When you apply all of the above-mentioned steps, you can be sure that your website is an impenetrable tower for every hacker.